CVE-2026-49416
- EPSS 0.11%
- Veröffentlicht 27.06.2026 09:25:12
- Zuletzt bearbeitet 01.07.2026 14:04:11
The CONS_HISTORY ioctl handler did not adequately validate the requested history size. A large value caused an integer overflow in the buffer size calculation, resulting in a heap allocation smaller than expected. Subsequent initialization of the b...
CVE-2026-49414
- EPSS 0.11%
- Veröffentlicht 27.06.2026 09:22:23
- Zuletzt bearbeitet 01.07.2026 14:04:23
The ELF image activator cleared per-process ASLR preference flags for setuid binaries after the code that computes the PIE base address, rather than before. As a result, a user-requested ASLR disable was still in effect at the point where the base a...
CVE-2026-49413
- EPSS 0.1%
- Veröffentlicht 27.06.2026 09:16:24
- Zuletzt bearbeitet 01.07.2026 14:04:37
The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the P_SUGID process flag. During execve(2), this flag is not yet set at the point where the auxiliary vector is constructed, so AT_SECURE was incorrectly set to ...
- EPSS 0.13%
- Veröffentlicht 27.06.2026 09:16:24
- Zuletzt bearbeitet 01.07.2026 14:04:31
Second, the audio buffer backing a mapping could be freed when the device was closed even though the mapping remained valid. The freed memory could then be reused elsewhere while still accessible through the stale mapping. The /dev/dsp device nodes...
CVE-2026-49412
- EPSS 0.1%
- Veröffentlicht 27.06.2026 09:16:23
- Zuletzt bearbeitet 01.07.2026 14:04:44
The kernel handler for IPV6_MSFILTER dropped a serializing lock in order to copy the source-filter list from userspace, then reacquired the lock. During this window another thread could free the multicast filter structure, leaving the handler with a...
CVE-2026-45258
- EPSS 0.15%
- Veröffentlicht 27.06.2026 09:16:22
- Zuletzt bearbeitet 01.07.2026 14:04:59
dsp_mmap_single() validated the requested mapping by checking the sum of the user-supplied offset and length against the buffer size. This addition could overflow, so that a large offset and length wrapped around and passed the check. The offset wa...
CVE-2026-45259
- EPSS 0.09%
- Veröffentlicht 27.06.2026 09:16:22
- Zuletzt bearbeitet 01.07.2026 14:04:51
sigqueue(2) was marked as permitted in capability mode with the introduction of Capsicum in 2011, but the implementation of kern_sigqueue did not include a capability mode check restricting signal delivery to the calling process's own PID. A process...
CVE-2026-45257
- EPSS 0.15%
- Veröffentlicht 26.06.2026 14:50:27
- Zuletzt bearbeitet 27.06.2026 05:16:45
The KTLS receive path decrypted each record in place, assuming that the mbufs holding received data were anonymous and safe to modify. This assumption does not hold for data placed on a socket by sendfile(2), which can reference file-backed memory d...
CVE-2026-45256
- EPSS 0.09%
- Veröffentlicht 26.06.2026 14:43:22
- Zuletzt bearbeitet 26.06.2026 18:58:48
When used to deliver a signal to a specific thread, thr_kill2(2) called p_cansignal() to determine whether the operation was permitted but did not check the result before delivering the signal. The signal was sent even when the permission check fail...
CVE-2026-45251
- EPSS 0.17%
- Veröffentlicht 21.05.2026 10:16:26
- Zuletzt bearbeitet 21.05.2026 19:01:22
A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, this closure may result in the object being freed wh...